System and method for identifying exploitable weak points in a network

US 9,860,265 B2
Filed: 04/17/2015
Issued: 01/02/2018
Est. Priority Date: 06/27/2012
Status: Active Grant

First Claim

Patent Images

1. A system for predicting attack paths in a network, comprising:

one or more scanners configured to determine one or more network addresses and one or more open ports associated with one or more connections in the network; and

one or more hardware processors coupled to the one or more scanners, wherein the one or more hardware processors are configured to;

identify, in the network, at least one host that has an exploitable vulnerability based on the one or more network addresses and the one or more open ports associated with the one or more network connections;

model one or more trust relationships accepted at the at least one host based on the one or more network addresses and the one or more open ports associated with the one or more network connections, wherein the one or more trust relationships accepted at the at least one host provide an available access control path to the exploitable vulnerability on the at least one host;

simulate an attack against the at least one host, the simulated attack used to determine one or more network addresses that could use the one or more trust relationships accepted at the at least one host to reach the exploitable vulnerability on the at least one host; and

determine that the one or more network addresses could be used to compromise the at least one host based at least in part on the one or more network addresses corresponding to one or more remote clients that have one or more exploitable weak points.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The system and method described herein may leverage passive and active vulnerability discovery to identify network addresses and open ports associated with connections that one or more passive scanners observed in a network and current connections that one or more active scanners enumerated in the network. The observed and enumerated current connections may be used to model trust relationships and identify exploitable weak points in the network, wherein the exploitable weak points may include hosts that have exploitable services, exploitable client software, and/or exploitable trust relationships. Furthermore, an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network may be simulated to enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network.

173 Citations

35 Claims

1. A system for predicting attack paths in a network, comprising:
- one or more scanners configured to determine one or more network addresses and one or more open ports associated with one or more connections in the network; and
  
  one or more hardware processors coupled to the one or more scanners, wherein the one or more hardware processors are configured to;
  
  identify, in the network, at least one host that has an exploitable vulnerability based on the one or more network addresses and the one or more open ports associated with the one or more network connections;
  
  model one or more trust relationships accepted at the at least one host based on the one or more network addresses and the one or more open ports associated with the one or more network connections, wherein the one or more trust relationships accepted at the at least one host provide an available access control path to the exploitable vulnerability on the at least one host;
  
  simulate an attack against the at least one host, the simulated attack used to determine one or more network addresses that could use the one or more trust relationships accepted at the at least one host to reach the exploitable vulnerability on the at least one host; and
  
  determine that the one or more network addresses could be used to compromise the at least one host based at least in part on the one or more network addresses corresponding to one or more remote clients that have one or more exploitable weak points.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The system recited in claim 1, wherein the one or more hardware processors are further configured to:
    - identify, among the one or more network addresses and the one or more open ports associated with the one or more network connections, at least one network address that permits external access on one or more predetermined ports; and
      
      determine that the at least one network address corresponds to a host that has a remotely exploitable service based on the permitted external access on the one or more predetermined ports, wherein the one or more exploitable weak points include at least the remotely exploitable service associated with the at least one network address.
  - 3. The system recited in claim 1, wherein the one or more hardware processors are further configured to:
    - identify, among the one or more network addresses and the one or more open ports associated with the one or more network connections, at least one network address having one or more an exploitable service that permits remote or uncredentialed checks, an exploitable service on one or more predetermined ports, or a remotely exploitable patch audit associated with a low access complexity rating; and
      
      determine that the at least one network address corresponds to a host that has an internally exploitable service, wherein the one or more exploitable weak points include at least the internally exploitable service associated with the at least one network address.
  - 4. The system recited in claim 1, wherein the one or more hardware processors are further configured to:
    - identify, among the one or more network addresses and the one or more open ports associated with the one or more network connections, at least one network address paired with one or more open ports that accept external connections; and
      
      determine that a host corresponding to the at least one network address has a remotely exploitable service in response to the host further having an internally exploitable service, wherein the one or more exploitable weak points include at least the internally exploitable service and the remotely exploitable service associated with the at least one network address.
  - 5. The system recited in claim 1, wherein the one or more hardware processors are further configured to:
    - identify, among the one or more network addresses and the one or more open ports associated with the one or more network connections, at least one network address having one or more exploitable services on port zero; and
      
      determine that the at least one network address corresponds to a host that has exploitable client software based on the one or more exploitable services on port zero, wherein the one or more exploitable weak points include at least the exploitable client software associated with the at least one network address.
  - 6. The system recited in claim 1, wherein the one or more hardware processors are further configured to:
    - identify, among the one or more network addresses and the one or more open ports associated with the one or more network connections, at least one network address having one or more remotely exploitable patch audits associated with one or more of a medium access complexity rating or a high access complexity rating; and
      
      determine that the at least one network address corresponds to a host that has exploitable client software based on the one or more remotely exploitable patch audits associated with one or more of the medium or high access complexity rating, wherein the one or more exploitable weak points include at least the exploitable client software associated with the at least one network address.
  - 7. The system recited in claim 6, wherein the one or more hardware processors are further configured to:
    - identify, among the one or more network addresses and the one or more open ports associated with the one or more network connections, at least one network address that corresponds to one or more of a mobile device, a host that connects to a destination external to the network, or a host that uses one or more proxy or mail gateway protocols;
      
      determine, based on the one or more network connections, that the at least one network address has one or more of an exploitable service on port zero or a remotely exploitable patch audit associated with a medium or high access complexity rating; and
      
      determine that the host corresponding to the at least one network address has exploitable client software and connects to or processes content from one or more remote networks, wherein the one or more exploitable weak points include at least the exploitable client software on the host that connects to or processes content from the one or more remote networks.
  - 8. The system recited in claim 1, wherein the one or more hardware processors are further configured to identify, among the one or more network connections, at least one internal connection from a source host in the network to a destination host in the network, wherein the modeled one or more trust relationships associate a network address corresponding to the destination host with a network address corresponding to the source host based on the at least one internal connection.
  - 9. The system recited in claim 8, wherein the one or more hardware processors are further configured to determine that the destination host accepts an exploitable trust relationship from a remotely exploitable source host in response to the source host having a remotely exploitable service, wherein the one or more exploitable weak points include at least the exploitable trust relationship that the destination host accepts from the remotely exploitable source host.
  - 10. The system recited in claim 8, wherein the one or more hardware processors are further configured to determine that the destination host accepts an exploitable trust relationship from a remotely exploitable source host in response to the source host having exploitable client software and connecting to or processing content from one or more remote networks, wherein the one or more exploitable weak points include at least the exploitable trust relationship that the destination host accepts from the remotely exploitable source host.
  - 11. The system recited in claim 8, wherein the one or more hardware processors are further configured to determine that the destination host accepts an exploitable trust relationship from an internally exploitable source host in response to the source host having one or more of an internally exploitable service or exploitable client software, wherein the one or more exploitable weak points include at least the exploitable trust relationship that the destination host accepts from the internally exploitable source host.
  - 12. The system recited in claim 1, wherein the one or more hardware processors are further configured to:
    - select the at least one host associated with the simulated attack based on the host having at least one internally exploitable service, wherein the selected host comprises a destination host associated with at least one internal connection identified in the network;
      
      use the modeled one or more trust relationships to determine one or more network addresses that correspond to one or more source hosts that have connected to a network address associated with the destination host; and
      
      process the one or more network addresses that correspond to the one or more source hosts that have connected to the destination host to determine the one or more network addresses that could be used to compromise the at least one host.
  - 13. The system recited in claim 12, wherein the one or more hardware processors are configured to process the one or more network addresses that correspond to the one or more source hosts that have connected to the destination host via a simulation algorithm that further causes the one or more hardware processors to:
    - select a current network address among the one or more network addresses that correspond to the one or more source hosts that have connected to the destination host;
      
      determine that the one or more network addresses that could be used to compromise the at least one host include the current network address in response to the source host associated with the current network address connecting to the destination host on an exploitable port, wherein an exploitation path to reach the exploitable vulnerability on the at least one host includes an exploit used to connect the source host to the destination host on the exploitable port;
      
      use the modeled one or more trust relationships to determine one or more second order network addresses that correspond to one or more source hosts that have connected to the current network address in response to the source host associated with the current network address having an internally exploitable service, wherein the one or more second order network addresses exclude any network addresses that are included among the one or more network addresses that could be used to compromise the at least one host and one or more hosts in the network that have one or more internally exploitable services; and
      
      execute the simulation algorithm to iteratively process the one or more second order network addresses that correspond to the one or more source hosts that have connected to the current network address until no further second order network addresses are determined.
  - 14. The system recited in claim 13, wherein the simulation algorithm further causes the one or more hardware processors to iteratively process the one or more network addresses that correspond to the one or more source hosts that have connected to the destination host until all source hosts that have connected to the destination host have been processed.
  - 15. The system recited in claim 1, wherein the one or more hardware processors are further configured to generate a report that describes an exploitation path that the one or more network addresses could use to compromise the at least one host based on the simulated attack according to one or more severity levels.
  - 16. The system recited in claim 1, wherein the one or more exploitable weak points include one or more of a network vulnerability having a publicly known exploit associated therewith or a network vulnerability satisfying one or more predetermined criteria associated with a vulnerability scoring system.
  - 17. The system recited in claim 1, further comprising a log aggregator configured to collect one or more events that describe activity in the network, wherein the one or more hardware processors are further configured to model the one or more trust relationships and identify the one or more exploitable weak points in the network based on the one or more events collected at the log aggregator.

18. A method for predicting attack paths in a network, comprising:
- configuring one or more scanners to determine one or more network addresses and one or more open ports associated with one or more connections in the network;
  
  identifying, in the network, at least one host that has an exploitable vulnerability based on the one or more network addresses and the one or more open ports associated with the one or more network connections;
  
  modeling one or more trust relationships accepted at the at least one host based on the one or more network addresses and the one or more open ports associated with the one or more network connections, wherein the one or more trust relationships accepted at the at least one host provide an available access control path to the exploitable vulnerability on the at least one host;
  
  simulating an attack against the at least one host, the simulated attack used to determine one or more network addresses that could use the one or more trust relationships accepted at the at least one host to reach the exploitable vulnerability on the at least one host; and
  
  determining that the one or more network addresses could be used to compromise the at least one host based at least in part on the one or more network addresses corresponding to one or more remote clients that have one or more exploitable weak points.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 19. The method recited in claim 18, further comprising:
    - identifying, among the one or more network addresses and the one or more open ports associated with the one or more network connections, at least one network address that permits external access on one or more predetermined ports; and
      
      determining that the at least one network address corresponds to a host that has a remotely exploitable service based on the permitted external access on the one or more predetermined ports, wherein the one or more exploitable weak points include at least the remotely exploitable service associated with the at least one network address.
  - 20. The method recited in claim 18, further comprising:
    - identifying, among the one or more network addresses and the one or more open ports associated with the one or more network connections, at least one network address having one or more an exploitable service that permits remote or uncredentialed checks, an exploitable service on one or more predetermined ports, or a remotely exploitable patch audit associated with a low access complexity rating; and
      
      determining that the at least one network address corresponds to a host that has an internally exploitable service, wherein the one or more exploitable weak points include at least the internally exploitable service associated with the at least one network address.
  - 21. The method recited in claim 18, further comprising:
    - identifying, among the one or more network addresses and the one or more open ports associated with the one or more network connections, at least one network address paired with one or more open ports that accept external connections; and
      
      determining that a host corresponding to the at least one network address has a remotely exploitable service in response to the host further having an internally exploitable service, wherein the one or more exploitable weak points include at least the internally exploitable service and the remotely exploitable service associated with the at least one network address.
  - 22. The method recited in claim 18, further comprising:
    - identifying, among the one or more network addresses and the one or more open ports associated with the one or more network connections, at least one network address having one or more exploitable services on port zero; and
      
      determining that the at least one network address corresponds to a host that has exploitable client software based on the one or more exploitable services on port zero, wherein the one or more exploitable weak points include at least the exploitable client software associated with the at least one network address.
  - 23. The method recited in claim 18, further comprising:
    - identifying, among the one or more network addresses and the one or more open ports associated with the one or more network connections, at least one network address having one or more remotely exploitable patch audits associated with one or more of a medium access complexity rating or a high access complexity rating; and
      
      determining that the at least one network address corresponds to a host that has exploitable client software based on the one or more remotely exploitable patch audits associated with one or more of the medium or high access complexity rating, wherein the one or more exploitable weak points include at least the exploitable client software associated with the at least one network address.
  - 24. The method recited in claim 23, further comprising:
    - identifying, among the one or more network addresses and the one or more open ports associated with the one or more network connections, at least one network address that corresponds to one or more of a mobile device, a host that connects to a destination external to the network, or a host that uses one or more proxy or mail gateway protocols;
      
      determining, based on the one or more network connections, that the at least one network address has one or more of an exploitable service on port zero or a remotely exploitable patch audit associated with a medium or high access complexity rating; and
      
      determining that the host corresponding to the at least one network address has exploitable client software and connects to or processes content from one or more remote networks, wherein the one or more exploitable weak points include at least the exploitable client software on the host that connects to or processes content from the one or more remote networks.
  - 25. The method recited in claim 18, further comprising identifying, among the one or more network connections, at least one internal connection from a source host in the network to a destination host in the network, wherein the modeled one or more trust relationships associate a network address corresponding to the destination host with a network address corresponding to the source host based on the at least one internal connection.
  - 26. The method recited in claim 25, further comprising determining that the destination host accepts an exploitable trust relationship from a remotely exploitable source host in response to the source host having a remotely exploitable service, wherein the one or more exploitable weak points include at least the exploitable trust relationship that the destination host accepts from the remotely exploitable source host.
  - 27. The method recited in claim 25, further comprising determining that the destination host accepts an exploitable trust relationship from a remotely exploitable source host in response to the source host having exploitable client software and connecting to or processing content from one or more remote networks, wherein the one or more exploitable weak points include at least the exploitable trust relationship that the destination host accepts from the remotely exploitable source host.
  - 28. The method recited in claim 25, further comprising determining that the destination host accepts an exploitable trust relationship from an internally exploitable source host in response to the source host having one or more of an internally exploitable service or exploitable client software, wherein the one or more exploitable weak points include at least the exploitable trust relationship that the destination host accepts from the internally exploitable source host.
  - 29. The method recited in claim 18, further comprising:
    - selecting the at least one host associated with the simulated attack based on the host having at least one internally exploitable service, wherein the selected host comprises a destination host associated with at least one internal connection identified in the network;
      
      using the modeled one or more trust relationships to determine one or more network addresses that correspond to one or more source hosts that have connected to a network address associated with the destination host; and
      
      processing the one or more network addresses that correspond to the one or more source hosts that have connected to the destination host to determine the one or more network addresses that could be used to compromise the at least one host.
  - 30. The method recited in claim 29, wherein the one or more network addresses that correspond to the one or more source hosts that have connected to the destination host are processed using a simulation algorithm that comprises:
    - selecting a current network address among the one or more network addresses that correspond to the one or more source hosts that have connected to the destination host;
      
      determining that the one or more network addresses that could be used to compromise the at least one host include the current network address in response to the source host associated with the current network address connecting to the destination host on an exploitable port, wherein an exploitation path to reach the exploitable vulnerability on the at least one host includes an exploit used to connect the source host to the destination host on the exploitable port;
      
      using the modeled one or more trust relationships to determine one or more second order network addresses that correspond to one or more source hosts that have connected to the current network address in response to the source host associated with the current network address having an internally exploitable service, wherein the one or more second order network addresses exclude any network addresses that are included among the one or more network addresses that could be used to compromise the at least one host and one or more hosts in the network that have one or more internally exploitable services; and
      
      executing the simulation algorithm to iteratively process the one or more second order network addresses that correspond to the one or more source hosts that have connected to the current network address until no further second order network addresses are determined.
  - 31. The method recited in claim 30, wherein the simulation algorithm further comprises iteratively processing the one or more network addresses that correspond to the one or more source hosts that have connected to the destination host until all source hosts that have connected to the destination host have been processed.
  - 32. The method recited in claim 18, further comprising generating a report that describes an exploitation path that the one or more network addresses could use to compromise the at least one host based on the simulated attack according to one or more severity levels.
  - 33. The method recited in claim 18, wherein the one or more exploitable weak points include one or more of a network vulnerability having a publicly known exploit associated therewith or a network vulnerability satisfying one or more predetermined criteria associated with a vulnerability scoring system.
  - 34. The method recited in claim 18, further comprising:
    - configuring a log aggregator to collect one or more events that describe activity in the network; and
      
      using information associated with the one or more events collected at the log aggregator to model the one or more trust relationships and identify the one or more exploitable weak points in the network.

35. A computer-readable storage device having computer-executable instructions stored thereon for predicting attack paths in a network, wherein the computer-executable instructions are configured to cause one or more processors to:
- configure one or more scanners to determine one or more network addresses and one or more open ports associated with one or more connections in the network;
  
  identify, in the network, at least one host that has an exploitable vulnerability based on the one or more network addresses and the one or more open ports associated with the one or more network connections;
  
  model one or more trust relationships accepted at the at least one host based on the one or more network addresses and the one or more open ports associated with the one or more network connections, wherein the one or more trust relationships accepted at the at least one host provide an available access control path to the exploitable vulnerability on the at least one host;
  
  simulate an attack against the at least one host, the simulated attack used to determine one or more network addresses that could use the one or more trust relationships accepted at the at least one host to reach the exploitable vulnerability on the at least one host; and
  
  determine that the one or more network addresses could be used to compromise the at least one host based at least in part on the one or more network addresses corresponding to one or more remote clients that have one or more exploitable weak points.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tenable, Inc. (Tenable Holdings, Inc.)
Original Assignee
Tenable Network Security Incorporated (Tenable Holdings, Inc.)
Inventors
Gula, Ron, Deraison, Renaud
Primary Examiner(s)
Williams, Jeffery

Application Number

US14/689,762
Publication Number

US 20150222655A1
Time in Patent Office

991 Days
Field of Search
US Class Current
CPC Class Codes

H04L 41/12   Discovery or management of ...

H04L 63/1433   Vulnerability analysis

H04L 67/10   in which an application is ...

System and method for identifying exploitable weak points in a network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

173 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for identifying exploitable weak points in a network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

173 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links